Whom should I put my trust?

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Tue Nov 25 07:04:58 UTC 2003

On Tue, Nov 25, 2003 at 02:06:15PM +0800, Chris Kloiber wrote:
> On Tue, 2003-11-25 at 05:12, Timothy Ha wrote:
> > Thank you!
> > 
> > I still have some questions (not doubts): With thrilling stories like 
> > someone breaking into the Linux kernel source, how do you guarantee the quality 
> > of the repositories? Security updates, system tools and so on are there.
> > 
> > Will Redhat be some guarantee to all these things?
> Not necessarily, but... 
> The packages are all signed with GPG if they are officially part of the
> Fedora project. Your up2date/apt/yum should be configured to check these
> signatures before installing anything, and to scream "bloody-blue
> murder" if they are not correctly signed. 

Well, almost all non-redhat.com repos are GPG signing as well. GPG
signed packages with keys from the same originating site only ensure
that you get what the packager produced. The difference being that I
would trust a redhat.com key more than a my.repo.for.fc1.hackz key ;)

> You should be able to find the official keys and an explanation of
> their uses here:
> http://fedora.redhat.com/about/security/

Maybe RH could consider verifying some IDs of packagers/repos and sign
their keys (and vice versa, RH's key is not signed by any other key)?
That would be a good establishment to create a true web of trust.
Axel.Thimm at physik.fu-berlin.de
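Chris's point above is that the package tool, not the repository, is what should refuse unsigned packages. As an added example (not from this thread, and not a Fedora tool), the script below audits yum-style configuration files for repositories that would let unsigned packages through. It reads yum's real `gpgcheck` and `gpgkey` options and assumes, as yum does, that a repo without its own `gpgcheck` inherits the value from the `[main]` section.

```shell
#!/bin/sh
# Added example, not from this thread: audit yum-style repo definitions
# (yum.conf or /etc/yum.repos.d/*.repo) for repositories that would let
# unsigned packages through. A repo is flagged when its effective
# gpgcheck is not 1 (a missing value falls back to the [main] section),
# or when gpgcheck=1 but no gpgkey is configured to verify against.
# Usage: audit_repos /etc/yum.conf /etc/yum.repos.d/*.repo

audit_repos() {
    # Prints one line per unsafe repo; returns 1 if any were found.
    unsafe=$(awk '
        function end_section() {
            if (name == "") return
            if (name == "main") { main_gpgcheck = gpgcheck; return }
            n++; names[n] = name; checks[n] = gpgcheck; keys[n] = gpgkey
        }
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # new [section]
            end_section()
            name = $0; gsub(/[][]/, "", name); gsub(/[[:space:]]/, "", name)
            gpgcheck = ""; gpgkey = ""; next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            gpgcheck = $0; next
        }
        /^[[:space:]]*gpgkey[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            gpgkey = $0; next
        }
        END {
            end_section()
            for (i = 1; i <= n; i++) {
                c = (checks[i] == "" ? main_gpgcheck : checks[i])
                if (c != "1") {
                    v = (c == "" ? "unset" : c)
                    print names[i] ": gpgcheck is " v
                } else if (keys[i] == "") {
                    print names[i] ": gpgcheck=1 but no gpgkey configured"
                }
            }
        }
    ' "$@")
    [ -z "$unsafe" ] && return 0
    printf '%s\n' "$unsafe"
    return 1
}
```

A non-zero exit from the function is meant to fail a cron job or build step, so a repo with checking disabled is noticed before the next update run rather than after.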